Very basic IPv4/IPv6 packet filters. The rules are loaded one iptables call at a time (non-atomic): between the flush/DROP default policy and the later ACCEPT rules, incoming traffic — including the SSH session running the script — is dropped, and a command that fails part-way leaves a half-built ruleset in place. Be careful; prefer a single iptables-restore load for atomic replacement.
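#!/bin/bash
# Very basic IPv4 packet filter, loaded atomically through iptables-restore.
#
# Why restore instead of one iptables call per rule: the rule-by-rule version
# sets the INPUT policy to DROP before the ESTABLISHED,RELATED accept exists,
# so every packet (including the SSH session running the script) is dropped
# until the later rules land, and a failing command leaves a half-built
# ruleset behind while the script still prints "done!". iptables-restore
# replaces each table in a single commit, so the kernel only ever sees the
# old ruleset or the complete new one.
#
# Policy (same as the rule-by-rule version):
#   INPUT   default DROP; accept loopback, established/related, ICMP echo
#           requests, new TCP to 22 and 5000; REJECT everything else.
#   OUTPUT  default DROP as a safety net, but all traffic is accepted.
#   FORWARD default DROP, no rules.
#   mangle  replaced with empty ACCEPT chains (the old script only flushed it).
#
# Usage: run as root, no arguments.
set -euo pipefail

# Every iptables call needs root; fail once, up front, instead of per rule.
if (( EUID != 0 )); then
  printf 'error: must run as root\n' >&2
  exit 1
fi

#######################################
# Emit the complete IPv4 ruleset in iptables-save format.
# Lines starting with '#' are comments and ignored by iptables-restore.
# Outputs: the ruleset on stdout
#######################################
ipv4_ruleset() {
  cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
### default policies and user chains
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:trashlog - [0:0]
### loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
### existing connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### trashlog chain: log then drop
# rate limited so a packet flood cannot fill the log (LOG is not limited itself)
-A trashlog -m limit --limit 5/min --limit-burst 10 -j LOG --log-level notice --log-prefix "trashlog: "
-A trashlog -j DROP
### invalid packets
#-A INPUT -m conntrack --ctstate INVALID -j trashlog
-A INPUT -m conntrack --ctstate INVALID -j DROP
### icmp
# allow echo requests; ICMP errors for tracked flows already matched RELATED above
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# drop the rest
-A INPUT -p icmp -j DROP
### services
# ssh
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ssh obscured
-A INPUT -p tcp --dport 5000 -m conntrack --ctstate NEW -j ACCEPT
# random service
#-A INPUT -p tcp --dport 1234 -m conntrack --ctstate NEW -j ACCEPT
# reject the rest
-A INPUT -j REJECT
### outgoing
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

printf 'loading ipv4 packet filter... '
# Dry run first: parse the whole ruleset without touching the kernel, so a
# typo cannot leave the mangle table replaced and the filter table untouched.
ipv4_ruleset | iptables-restore --test
# Real load; each table is swapped in one commit. With pipefail, a failure
# here aborts before "done!" is printed and the previous ruleset stays active.
ipv4_ruleset | iptables-restore
printf 'done!\n'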
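#!/bin/bash
# Very basic IPv6 packet filter, loaded atomically through ip6tables-restore.
#
# Why restore instead of one ip6tables call per rule: the rule-by-rule version
# sets the INPUT policy to DROP before the ESTABLISHED,RELATED accept exists,
# so every packet (including the SSH session running the script) is dropped
# until the later rules land, and a failing command leaves a half-built
# ruleset behind while the script still prints "done!". ip6tables-restore
# replaces each table in a single commit, so the kernel only ever sees the
# old ruleset or the complete new one.
#
# Policy (same as the rule-by-rule version):
#   INPUT   default DROP; accept loopback, established/related, NDP and MLD
#           with the expected hop limit, ICMPv6 echo requests, new TCP to 22
#           and 5000; drop type-0 routing headers; REJECT everything else.
#   OUTPUT  default DROP as a safety net, but all traffic is accepted.
#   FORWARD default DROP, no rules.
#   mangle  replaced with empty ACCEPT chains (the old script only flushed it).
#
# NOTE(review): ICMPv6 error messages (destination-unreachable, packet-too-big,
# time-exceeded, parameter-problem) are only accepted when conntrack marks them
# RELATED to a tracked flow; RFC 4890 recommends permitting types 1-4
# unconditionally. Consider adding them to the icmpv6 section.
#
# Usage: run as root, no arguments.
set -euo pipefail

# Every ip6tables call needs root; fail once, up front, instead of per rule.
if (( EUID != 0 )); then
  printf 'error: must run as root\n' >&2
  exit 1
fi

#######################################
# Emit the complete IPv6 ruleset in ip6tables-save format.
# Lines starting with '#' are comments and ignored by ip6tables-restore.
# Outputs: the ruleset on stdout
#######################################
ipv6_ruleset() {
  cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
### default policies and user chains
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:trashlog - [0:0]
:ndp-slaac - [0:0]
### loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
### existing connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### trashlog chain: log then drop
# rate limited so a packet flood cannot fill the log (LOG is not limited itself)
-A trashlog -m limit --limit 5/min --limit-burst 10 -j LOG --log-level notice --log-prefix "trashlog: "
-A trashlog -j DROP
### invalid packets
#-A INPUT -m conntrack --ctstate INVALID -j trashlog
-A INPUT -m conntrack --ctstate INVALID -j DROP
### bad extension headers
# type 0 routing header (RH0) allows source-routing amplification; deprecated by RFC 5095
-A INPUT -m rt --rt-type 0 -j DROP
### icmpv6
# allow neighbor discovery and stateless address autoconfiguration.
# NDP messages must arrive with hop limit 255 (RFC 4861), MLD with hop limit 1,
# so anything that crossed a router is not matched here and falls through.
-A ndp-slaac -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
# 130-132: MLDv1 query/report/done, 143: MLDv2 report
-A ndp-slaac -p icmpv6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p icmpv6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p icmpv6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p icmpv6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p icmpv6 -j ndp-slaac
# allow echo requests
-A INPUT -p icmpv6 --icmpv6-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# drop the rest
-A INPUT -p icmpv6 -j DROP
### services
# ssh
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ssh obscured
-A INPUT -p tcp --dport 5000 -m conntrack --ctstate NEW -j ACCEPT
# random service
#-A INPUT -p tcp --dport 1234 -m conntrack --ctstate NEW -j ACCEPT
# reject the rest
-A INPUT -j REJECT
### outgoing
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

printf 'loading ipv6 packet filter... '
# Dry run first: parse the whole ruleset without touching the kernel, so a
# typo cannot leave the mangle table replaced and the filter table untouched.
ipv6_ruleset | ip6tables-restore --test
# Real load; each table is swapped in one commit. With pipefail, a failure
# here aborts before "done!" is printed and the previous ruleset stays active.
ipv6_ruleset | ip6tables-restore
printf 'done!\n'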